AWS vs. Azure - Object Storage Blob Access Part 3

The last concept we are going to talk about surrounding blob access is the idea of anonymous access. Unless you've been hiding under a rock these past few years, public access to object storage (particularly S3 buckets) has been a common "attack" vector against companies. In the past, S3 buckets were quite easy to mark as publicly accessible, leading to lots of issues.

As with everything, anonymous access is done a little bit differently in each cloud provider. Azure allows anonymous access to be turned on in a read-only fashion at the container level. From a permission perspective, there are three levels:

  • No public access
  • Public read/list access
  • Public read access

The difference between the second and third options above is simple: one allows blob enumeration, whereas with the other you would have to know the exact name of the blob you are trying to reference. In AWS, bucket policies are used to grant anonymous access. Since bucket policies have effectively the same structure as IAM policies, you define a principal (in this case *) and a permission set on a set of resources.

In Azure, you can set anonymous access for a container via an ARM template. See https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/2018-07-01/storageaccounts/blobservices/containers for more information. For reference:

{
  "name": "string",
  "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
  "apiVersion": "2018-07-01",
  "properties": {
    "publicAccess": "string",
    "metadata": {}
  },
  "resources": []
}

publicAccess is a string that can be either Container, Blob, or None. It is not a required field and defaults to None. Container = Read/List and Blob = Read Only.
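To show how those three values play out in practice, here is an added example (not code from the original post) that walks an ARM template and reports the effective anonymous-access level of every container it declares, treating a missing publicAccess as None exactly as the platform does. The template fragment embedded in it is constructed for the demonstration; the resource names in it are not from the post.

```python
import json

CONTAINER_TYPE = "Microsoft.Storage/storageAccounts/blobServices/containers"

# What each publicAccess value means for an unauthenticated caller.
PUBLIC_ACCESS_LEVELS = {
    "none": "no anonymous access",
    "blob": "anonymous read; exact blob name required",
    "container": "anonymous read and list (blob enumeration possible)",
}

# Constructed sample template: one container left enumerable, one with
# publicAccess omitted (defaults to None), and one nested under its
# blobServices parent using the short child type, as ARM allows.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "name": "examplestorage/default/public-assets",
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "apiVersion": "2018-07-01",
      "properties": { "publicAccess": "Container", "metadata": {} }
    },
    {
      "name": "examplestorage/default/backups",
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "apiVersion": "2018-07-01",
      "properties": { "metadata": {} }
    },
    {
      "name": "examplestorage/default",
      "type": "Microsoft.Storage/storageAccounts/blobServices",
      "apiVersion": "2018-07-01",
      "resources": [
        {
          "name": "downloads",
          "type": "containers",
          "apiVersion": "2018-07-01",
          "properties": { "publicAccess": "Blob" }
        }
      ]
    }
  ]
}
""")


def iter_resources(resources, parent_type=None):
    """Yield (resource, full_type) for every resource, recursing into
    nested child resources. A nested child may give only its own type
    segment (e.g. "containers"), which ARM resolves against the parent."""
    for res in resources:
        rtype = res.get("type", "")
        if parent_type and "/" not in rtype:
            full_type = f"{parent_type}/{rtype}"
        else:
            full_type = rtype
        yield res, full_type
        yield from iter_resources(res.get("resources", []), full_type)


def audit_container_public_access(template):
    """Return one finding per container resource with its anonymous-access
    level. publicAccess is optional and defaults to None when absent."""
    findings = []
    for res, full_type in iter_resources(template.get("resources", [])):
        if full_type.lower() != CONTAINER_TYPE.lower():
            continue
        raw = res.get("properties", {}).get("publicAccess", "None")
        level = str(raw).lower()  # compare case-insensitively for auditing
        findings.append({
            "name": res.get("name"),
            "publicAccess": level,
            "anonymous": level != "none",
            "enumerable": level == "container",
            "description": PUBLIC_ACCESS_LEVELS.get(level, "unrecognised value"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_container_public_access(SAMPLE_TEMPLATE):
        flag = "!!" if finding["anonymous"] else "ok"
        print(f"[{flag}] {finding['name']}: {finding['description']}")
```

The "enumerable" flag singles out Container-level access because that is the setting that lets an unauthenticated caller list blob names rather than needing to know them in advance. Note that newer storageAccounts API versions than the 2018-07-01 one referenced above also carry an account-level allowBlobPublicAccess property; when it is set to false it overrides any container-level publicAccess value, so an audit of current templates should check both.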

In AWS, the bucket policy is easy to define. Here is an example (referenced from https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-2):

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}

You could specify any S3-related action you wanted in this bucket policy, allowing for more use cases such as anonymous writes (which is likely not recommended).
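Since the Principal of * is what turns a bucket policy into an anonymous grant, a useful defensive check is to scan a policy document for Allow statements with that principal and report what they hand out. The following is an added example, not code from the post or from AWS; the sample policy it embeds is constructed (the account id, bucket name and IP range are placeholders) and deliberately includes an anonymous write grant and a grant fenced by a Condition so that both cases are exercised.

```python
import json

# Constructed sample policy: a public-read grant like the one above, an
# anonymous write grant, an anonymous grant limited by a source-IP
# condition, and an ordinary grant to a specific account (not anonymous).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::examplebucket/*"]},
    {"Sid": "AnonWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::examplebucket/uploads/*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::examplebucket",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "AccountAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::examplebucket/*"}
  ]
}
""")

# Actions that only read or enumerate; anything else is treated as a write.
READ_ONLY_PREFIXES = ("s3:get", "s3:list")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when Principal is the wildcard, in either accepted form:
    the bare string "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _is_write(action):
    """Wildcards and anything outside Get*/List* can change data."""
    a = action.lower()
    return a in ("*", "s3:*") or not a.startswith(READ_ONLY_PREFIXES)


def find_anonymous_grants(policy):
    """Return one finding per Allow statement whose principal is anonymous.
    NotPrincipal/NotAction forms are not handled here (kept simple)."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": actions,
            "resources": _as_list(stmt.get("Resource")),
            "allows_write": any(_is_write(a) for a in actions),
            # A Condition (source IP, referer, ...) narrows who can use
            # the grant, so it is anonymous but not open to everyone.
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


if __name__ == "__main__":
    for f in find_anonymous_grants(SAMPLE_POLICY):
        severity = "WRITE" if f["allows_write"] else "read"
        scope = "conditioned" if f["conditioned"] else "unrestricted"
        print(f"{f['sid']}: anonymous {severity} ({scope}) on {f['resources']}")
```

Running it reports PublicRead as an unrestricted anonymous read, AnonWrite as an anonymous write (the case the paragraph above advises against), and OfficeOnly as anonymous but conditioned; AccountAdmin is skipped because its principal is a specific account. Keep in mind that the account- and bucket-level S3 Block Public Access settings sit above the policy: when they are enabled, a statement like PublicRead is rejected or ignored, so a policy scan should be read alongside those settings rather than on its own.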


About Shamir Charania

Shamir Charania, a seasoned cloud expert, possesses in-depth expertise in Amazon Web Services (AWS) and Microsoft Azure, complemented by his six-year tenure as a Microsoft MVP in Azure. At Keep Secure, Shamir provides strategic cloud guidance, with senior architecture-level decision-making to having the technical chops to back it all up. With a strong emphasis on cybersecurity, he develops robust global cloud strategies prioritizing data protection and resilience. Leveraging complexity theory, Shamir delivers innovative and elegant solutions to address complex requirements while driving business growth, positioning himself as a driving force in cloud transformation for organizations in the digital age.